Monday, January 02, 2017

The Customs and Border Patrol Officer, the Search and Unauthorized Access

This post examines an opinion from the Court of Appeals of Michigan:  People v. Glenn, 2016 WL 2731098 (2016). The court begins the opinion by explaining that
Defendant appeals by right his conviction, following a jury trial, of unauthorized access of a computer, [Michigan Compiled Laws] 752.795(a). Defendant was sentenced to two years' probation. We affirm.
People v. Glenn, supra.
The Court of Appeals goes on to explain how and why the prosecution arose, what it involved and why Glenn was convicted:
Defendant, an officer with the United States Customs and Border Patrol (CBP), worked at the Canada–United States border in Detroit, Michigan, during the relevant year of 2013. On January 11, 2013, Amanda Shovlin, with whom defendant had a personal relationship, crossed the border from Canada into the United States, but was detained for secondary inspection prior to entry.
Defendant was not at work that day, but returned to work on January 14, 2013. Video surveillance of the office, in addition to computer monitoring, revealed that defendant searched his TECS computer for Shovlin's name contrary to CBP's TECS use policy, which prohibited officers from searching for information regarding family members and close associates. The policy states in pertinent part:
`Field Operations employees shall not engage in official business involving a family member or a close associate except in the limited circumstances described in 6.2.3 of this section.
* * *’
`Should circumstances arise in which no disinterested field operation employee is on duty and no supervisor on duty[,] a CBP employee is authorized to conduct business with close family or associates as provided under [sic] and list the management directive number.
Further, when an employee accesses the TECS system, a warning banner is displayed on the screen. The banner states the following:’
`You are accessing a [US] off [sic] government information system which includes this computer, the computer network, all computers connected to this network and all devices and storage media attached to this network or to a computer on this network.’
`This information system is provided for U.S. government authorized use only.’
`Unauthorized or improper use or access of this system may result in disciplinary action, as well as civil and criminal penalties. By using this information system. . . . you understand and consent to the following:’
`You have no reasonable expectation of privacy when you use this information system. This includes any communications or data transiting stored on, originated from or directed to this information system.’
`At any time, and for any lawful government purpose[,][t]he government may monitor, intercept, search and seize any communication or data transiting, stored on, originated from or directed to or from this information system.’
`The government may disclose or use any communication or data transiting stored on[,] originated from or directed to or from this information system for any lawful government purpose.’
`You are not authorized to process classified information on this information system.
Defendant was convicted of unauthorized access of a computer contrary to [Michigan Compiled Laws] 752.795(a).’
            `This appeal followed.’
People v. Glenn, supra.
The court goes on to explain that
Defendant argues that he should not have been bound over for trial because the prosecution failed to present evidence establishing probable cause that he had violated [Michigan Compiled Laws] 752.795(a).and also that the statute does not even apply to the conduct of which defendant was found guilty—violation of an internal computer `use’ policy. We disagree.
People v. Glenn, supra.
Next, the court outlined the “standard of review” it uses in reviewing the result in the cases that come before it:
We review `for an abuse of discretion a district court's decision to bind over a defendant.’ People v. Hudson, 241 Mich.App 268, 276; 615 NW2d 784 (2000). `A circuit court's decision with respect to a motion to quash a bindover order is not entitled to deference because this Court applies the same standard of review to this issue as the circuit court.’ Id. `An abuse of discretion occurs when the court chooses an outcome that falls outside the range of reasonable and principled outcomes.’ People v. Unger, 278 Mich.App 210, 217; 749 NW2d 272 (2008). Furthermore, `[a] trial court necessarily abuses its discretion when it makes an error of law.’ People v. Waterstone, 296 Mich.App 121, 132; 818 NW2d 432 (2012). However, `[t]he decision whether alleged conduct falls within the statutory scope of a criminal law involves a question of law, which this Court reviews de novo.’ People v. Noble, 238 Mich.App 647, 658; 608 NW2d 123 (1999).
People v. Glenn, supra.
The opinion then takes up the issue of the “bindover” of Glenn. As a site dedicated to U.S. law and legal terms explains,
`The term `bind over' refers to hold a person for trial on bond (bail) or in jail. If the judicial official who conducts a hearing finds probable cause to believe that the accused committed a crime, then the official will bind over the accused, normally by setting bail for the appearance of the accused at trial. Binding over means to order a defendant to be placed in custody pending the outcome of a proceedings against him or her; `The defendant was bound over for trial'. This is a state court procedure.’
Getting back to the opinion, the court then explains that
[t]o bind a defendant over to circuit court, the magistrate at a preliminary examination must `determine whether a felony was committed and whether there is probable cause to believe the defendant committed it.’ People v. Yost, 468 Mich. 122, 125–126; 659 NW2d 604 (2003). Probable cause exists where the evidence is `sufficient to cause a person of ordinary prudence and caution to conscientiously entertain a reasonable belief of the accused's guilt.’ Id. at 126 (citation and quotation marks omitted). `In order to establish that a crime has been committed, the prosecution need not prove each element beyond a reasonable doubt, but must present some evidence of each element.’ People v.. Redden, 290 Mich.App 65, 84; 799 NW2d 184 (2010). Additionally, `[i]f the evidence conflicts or raises a reasonable doubt concerning the defendant's guilt, the defendant should nevertheless be bound over for trial, at which the trier of fact can resolve the questions.’ Id.
People v. Glenn, supra.
The Court of Appeals then explains that the statute under which Glenn was charged provides the following:
`A person shall not intentionally and without authorization or by exceeding valid authorization do any of the following:’

`(a) Access or cause access to be made to a computer program, computer, computer system, or computer network to acquire, alter, damage, delete, or destroy property or otherwise use the service of a computer program, computer, computer system, or computer network.

MCL 752.792 further provides the following relevant definitions:’

`(1) “Access” means to instruct, communicate with, store data in, retrieve or intercept data from, or otherwise use the resources of a computer program, computer, computer system, or computer network.’
* * *
 `(3) “Computer” means any connected, directly interoperable or interactive device, equipment, or facility that uses a computer program or other instructions to perform specific operations including logical, arithmetic, or memory functions with or on computer data or a computer program and that can store, retrieve, alter, or communicate the results of the operations to a person, computer program, computer, computer system, or computer network.’

`(4) “Computer network” means the interconnection of hardwire or wireless communication lines with a computer through remote terminals, or a complex consisting of 2 or more interconnected computers.’ . . .
People v. Glenn, supra.
The opinion goes on to explain that
[t]he unambiguous language of the statute makes clear that a violation has occurred when a defendant has: (1) intentionally and (2) without authorization or by exceeding valid authorization (3) accessed or caused access to be made to a computer program, computer, computer system, or computer network (4) to acquire, alter, damage, delete, or destroy property or otherwise use the services of a computer program, computer, computer system, or computer network.

The only published case from this Court substantially discussing MCL 752.795 is People v. Golba, 273 Mich.App 603; 729 NW2d 916 (2007). There, the main issue was whether the 64–year–old defendant's conviction under MCL 752.795(a) for using school computers to send pornography and emails of a sexual nature to a 16–year–old student was a `sexual offense’ and thus a `listed offense’ under the sex offenders registration act (SORA), MCL 28.721 et seq. Id. at 605, 611–612. In addressing that issue, this Court at least tacitly concluded that the violation of `internal use’ policies satisfied the `without authorization’ and `exceeds authorized access’ elements of MCL 752.795(a):

In the present case, the evidence introduced at trial supported the trial court's findings that defendant violated the school's computer acceptable use policy by downloading pornography on his school computer and that he viewed the pornography on the computer in the presence of a 16–year–old female student. The evidence also supported the trial court's finding that defendant used the computer to solicit sex from the student. . . . The policy expressly prohibits users from accessing pornographic materials or inappropriate text files and prohibited users from sending or receiving e-mails that contained `pornographic material’ or `inappropriate information.’ Defendant's conduct was sufficient to support a finding that he intentionally and without authorization, or by exceeding valid authorization, accessed or caused access to be made to the computer in violation of MCL 752.795. [Id. at 611–612.]
Golba therefore permits `internal use’ policies to define the contours of `without authorization’ and `exceeds authorized access’ in the context of MCL 752.795(a).
People v. Glenn, supra.
Since MCL 752.795(a) creates an offense that is at least similar to the federal crime that is created by the Computer Fraud and Abuse Act [CFAA], 18 U.S. Code § 1030(a)(1), which makes it a federal crime to “access a computer “without authorization or [by] exceeding authorized access”, the Court of Appeals went on to review how federal courts of appeal have applied the second option in § 1030(a)(1).  People v. Glenn, supra.
It began by explaining that
[i]n United States v. Nosal, 676 F3d 854 (CA 9, 2012), for example, the United States Court of Appeals for the Ninth Circuit, in interpreting a provision of the CFAA with similar language, and applying the rule of lenity, concluded that the phrase `exceeds authorized access’ does not extend to violations of employer computer use restrictions, but rather only to individuals whose initial access to a computer is authorized but who accesses information and files that they are not authorized to access. The Second Circuit reached a similar conclusion in United States v. Valle, 807 F3d 508, 523–528 (2015), in interpreting a different portion of the CFAA that also used the phrase `exceeds authorized access.’ Other circuits have reached contrary conclusions. See, e.g., United States v. John, 597 F3d 263, 272 (U.S. Court of Appeals for the 5th Circuit 2010) (holding that employee exceeded authorized access when she accessed information from her employer's database in violation of her employer's use policy); EF Cultural Travel BV v. Explorica, Inc, 274 F3d 577, 583–584 (U.S. Court of Appeals for the 9th Circuit 2001) (holding that violation of an employer's confidentiality agreement was possibly `exceeding authorized access’); United States v. Rodriguez, 628 F3d 1258, 1260–1263 (CA 11, 2010) (holding that the defendant exceeded authorized access when he accessed his employer's (Social Security Administration) customer data against office policy to find women to whom to send flowers).
People v. Glenn, supra.
The Court of Appeals went on to explain that
[t]hese decisions of federal courts, interpreting a federal statute, are of course not binding on this Court in its interpretation of state law, although they may be persuasive. See Abela v. General Motors Corp, 469 Mich. 603, 606–607; 677 NW2d 325 (2004). And, in the instant case, we see no need to determine the full range of conduct to which MCL 752.795 applies. It is undisputed that, while defendant was authorized to access the TECS database generally as part of his job, he was explicitly prohibited from accessing any information relating to family members or close associates. The information he accessed regarding Shovlin was thus information he was not authorized to access. Defendant in fact was aware that he was not permitted to access information regarding persons with whom he had a current or previous dating relationship, as he had on one previous occasion informed his supervisor that he had been in a dating relationship with a woman who had been selected for secondary inspection and did not query the TECS database regarding her; although the supervisor testified that he and defendant did not specifically discuss whether defendant was authorized to query this particular person, he testified as to the general policy prohibiting querying known associates.

Further, the trial court heard testimony that defendant had inquired about this policy in 2010, that he spoke with Special Agent Koshorek of the Department of Homeland Security, and that she informed him that he was not supposed to query `known associates or family members’ in TECS and emailed him a copy of the relevant portions of the TECS use policy. Thus, even if we were to adopt a narrow construction of the phrase `exceeding valid authorization’ under the rationale of the Ninth and Second Circuits, defendant's conduct would fall within the conduct prohibited by the statute. Therefore we conclude that MCL 752.795 applies to defendant's conduct in accessing the TECS system to search for information regarding a close associate. Golba, 273 Mich.App at 611–612. The computer use policy and banner made it clear to defendant that his use was unauthorized and that he could be subjected to criminal penalties. . . . .
People v. Glenn, supra.
The court went on to outline its analysis and its holding in this case:
These decisions of federal courts, interpreting a federal statute, are of course not binding on this Court in its interpretation of state law, although they may be persuasive. See Abela v. General Motors Corp, 469 Mich. 603, 606–607; 677 NW2d 325 (2004). And, in the instant case, we see no need to determine the full range of conduct to which MCL 752.795 applies.

It is undisputed that, while defendant was authorized to access the TECS database generally as part of his job, he was explicitly prohibited from accessing any information relating to family members or close associates. The information he accessed regarding Shovlin was thus information he was not authorized to access. Defendant in fact was aware that he was not permitted to access information regarding persons with whom he had a current or previous dating relationship, as he had on one previous occasion informed his supervisor that he had been in a dating relationship with a woman who had been selected for secondary inspection and did not query the TECS database regarding her; although the supervisor testified that he and defendant did not specifically discuss whether defendant was authorized to query this particular person, he testified as to the general policy prohibiting querying known associates. Further, the trial court heard testimony that defendant had inquired about this policy in 2010, that he spoke with Special Agent Koshorek of the Department of Homeland Security, and that she informed him that he was not supposed to query “known associates or family members” in TECS and emailed him a copy of the relevant portions of the TECS use policy. Thus, even if we were to adopt a narrow construction of the phrase “exceeding valid authorization” under the rationale of the Ninth and Second Circuits, defendant's conduct would fall within the conduct prohibited by the statute.

Therefore we conclude that MCL 752.795 applies to defendant's conduct in accessing the TECS system to search for information regarding a close associate. Golba, 273 Mich.App at 611–612. The computer use policy and banner made it clear to defendant that his use was unauthorized and that he could be subjected to criminal penalties. . . .
People v. Glenn, supra.
For these and other reasons, the Court of Appeals affirmed Glenn’s conviction and sentence. People v. Glenn, supra. 
-->

1 comment:

Gchild_ said...
This comment has been removed by the author.